User Tools

Site Tools


doc:howto:netfilter

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
doc:howto:netfilter [2013/10/22 12:18]
lorema +nftables, will come with Linux kernel 3.13
doc:howto:netfilter [2015/01/13 21:29] (current)
cdeez [Explanation]
Line 1: Line 1:
-====== Netfilter ====== +====== Netfilter/​Nftables ​====== 
-[[http://​www.netfilter.org/​|Netfilter]] is the packet filtering framework inside the [[wp>​Linux kernel]]. It allows for packet filtering, network address [and port] translation (NA[P]T) and other packet manipulations. It is far more than a simple firewall and very powerful!+[[http://​www.netfilter.org/​|Netfilter]] is the packet filtering framework inside the [[wp>​Linux kernel]]. It allows for packet filtering, network address [and port] translation (NA[P]T) and other packet manipulations. It is far more than a simple firewall and very powerful! ​For Nftables, see [[#​Nftables]] further down this wikipage.
  
 Usually the user space programs <color red>​**''​iptables''​**</​color>,​ <color red>​**''​ip6tables''​**</​color>,​ <color red>​**''​ebtables''​**</​color>​ or <color red>​**''​arptables''​**</​color>​ are utilized to //​configure//​ the handling of network packets. Please see this scheme **[[http://​upload.wikimedia.org/​wikipedia/​commons/​d/​dd/​Netfilter-components.svg|Netfilter Components]]** by Jan Engelhardt about some overview over current and future netfilter components. Usually the user space programs <color red>​**''​iptables''​**</​color>,​ <color red>​**''​ip6tables''​**</​color>,​ <color red>​**''​ebtables''​**</​color>​ or <color red>​**''​arptables''​**</​color>​ are utilized to //​configure//​ the handling of network packets. Please see this scheme **[[http://​upload.wikimedia.org/​wikipedia/​commons/​d/​dd/​Netfilter-components.svg|Netfilter Components]]** by Jan Engelhardt about some overview over current and future netfilter components.
Line 14: Line 14:
 Please have a look at this most excellent scheme: **[[http://​upload.wikimedia.org/​wikipedia/​commons/​3/​37/​Netfilter-packet-flow.svg|Netfilter Packet Flow]]** by Jan Engelhardt to understand how a packet traverses netfilter. The green stuff is the domain of ''​iptables''​ and ''​ip6tables'',​ while the blue stuff is being handled by ''​ebtables''​. Please have a look at this most excellent scheme: **[[http://​upload.wikimedia.org/​wikipedia/​commons/​3/​37/​Netfilter-packet-flow.svg|Netfilter Packet Flow]]** by Jan Engelhardt to understand how a packet traverses netfilter. The green stuff is the domain of ''​iptables''​ and ''​ip6tables'',​ while the blue stuff is being handled by ''​ebtables''​.
  
-Do not make the mistake to place your LAN on the left side and the Internet on the right side in your mind. They are both on both sides! When a packet enters the Linux Kernel (= that is the ingress buffer of the [[wp>​Network interface controller|NIC]] /​[[wp>​Wireless network interface controller|WNIC]]) it always comes in on the left side, regardless on which [[doc:​networking:​network.interfaces|interface]] it arrives. It traverses the network stack and then netfilter and when it leaves, it always leaves at the right side. While the packet traverses netfilter, netfilter looks for rules that match that network packet. When a rules matches a packet, that rule is being applied to that particular packet. This means the packet is being send to the TARGET specified in that rule. As soon as the network packet ​is matching ​a rule, this rule is being applied to it, and the packet stops traversing that table of netfilter! There are few exceptions to this behavior, e.g. the TARGETs ''​-j LOG'',​ ''​-j CUSTOM_CHAIN''​ or ''​-j MARK''​.+Do not make the mistake to place your LAN on the left side and the Internet on the right side in your mind. They are both on both sides! When a packet enters the Linux Kernel (= that is the ingress buffer of the [[wp>​Network interface controller|NIC]] /​[[wp>​Wireless network interface controller|WNIC]]) it always comes in on the left side, regardless on which [[doc:​networking:​network.interfaces|interface]] it arrives. It traverses the network stack and then netfilter and when it leaves, it always leaves at the right side. While the packet traverses netfilter, netfilter looks for rules that match that network packet. When a rule matches a packet, that rule is being applied to that particular packet. This means the packet is being sent to the TARGET specified in that rule. As soon as the network packet ​matches ​a rule, this rule is applied to it, and the packet stops traversing that table of netfilter! There are few exceptions to this behavior, e.g. the TARGETs ''​-j LOG'',​ ''​-j CUSTOM_CHAIN''​ or ''​-j MARK''​.
  
 ===== Configuration ===== ===== Configuration =====
Line 79: Line 79:
 ===== Examples ===== ===== Examples =====
 You find some example shell scripts below: You find some example shell scripts below:
- 
   * [[doc:​howto:​netfilter:​netfilter.iptables.example1]] very simple script for setting up NAT (IPv4 only, IPv6 has no NAT)   * [[doc:​howto:​netfilter:​netfilter.iptables.example1]] very simple script for setting up NAT (IPv4 only, IPv6 has no NAT)
   * [[doc:​howto:​netfilter:​netfilter.iptables.example2]] simple script with filters (such an implementation is usually called a //​firewall//​)   * [[doc:​howto:​netfilter:​netfilter.iptables.example2]] simple script with filters (such an implementation is usually called a //​firewall//​)
Line 130: Line 129:
  
 ===== nftables ===== ===== nftables =====
-''​nftables'' ​ is the successor ​of all of the above programs ​and one will replace themToday it is in Alpha-Status: [[wp>nftables]]+[[wp>​nftables]] is the successor of netfilter. Its user space utility **''​nft''​** replaces the entire ''​{ip,​eb,​arp,​ip6}tables''​ user space tool set. It still uses the netfilter architecture for complex extensions and is part of the netfilter project. 
 +The command-line user space utility is called **''​nft''​** and there is an API and library interface to it (''​libnftables''​). There is also an iptables to nft handle userspace conversion tool which will ease migration. 
 +nftables is a major departure in that there is no need for deep protocol awareness in the kernel modules as everything filter related is handled by a basic virtual machine. 
 +  * [[http://​netfilter.org/​projects/​nftables/​|nftables homepage]] + [[http://​article.gmane.org/​gmane.comp.security.firewalls.netfilter.devel/​44685|Announcement]] 
 +  * [[https://​home.regit.org/​netfilter-en/​nftables-quick-howto/​|Nftables quick howto]] 
 +    * The user space utility is called **''​nft''​**,​ its input resembles slightly that of **''​[[/​doc/​howto/​packet.scheduler/​packet.scheduler|tc]]''​** 
 +  * https://​dev.openwrt.org/​ticket/​14415 
 + 
 +The OpenWrt developers are aware of the nftables developments, ​and will migrate as soon as OpenWrt adopts a 3.13 kernel. Linux kernel version 3.13 was released 2014-01-20, [[http://​lkml.indiana.edu/​hypermail/​linux/​kernel/​1311.0/​00914.html|Linux 3.12 released .. and no merge window yet .. and 4.0 plans?]]. 
 + 
 +  * Anybody who wants to help in development,​ shall feel free to send patches: 
 +    * for the OpenWrt operating system, see https://​dev.openwrt.org/​wiki/​SubmittingPatches 
 +    * for the [[:​doc:​uci|UCI]] wrapper C-language firewall, see http://​nbd.name/​gitweb.cgi?​p=firewall3.git;​a=summary 
 +  * The proper place for technical discussion on nftables migration is the the OpenWrt development mailing list: https://​lists.openwrt.org/​cgi-bin/​mailman/​listinfo/​openwrt-devel 
 +  * The proper place for general discussions/​ideas is the OpenWrt Forum: https://​forum.openwrt.org/​ 
 +  * The proper place for documentation is either **this wiki page** or **[[doc/howto/nftables]]**. 
 +    * The proper place for documentation of the C-language wrapper firewall is [[doc:​uci:​firewall]]. 
  
 ==== Modules for match/​TARGET ==== ==== Modules for match/​TARGET ====
Line 148: Line 164:
 | iptables-mod-hashlimit ​       |   ​| ​  5554 | iptables extensions for hashlimit matching Includes: - libipt_hashlimit ​ | | iptables-mod-hashlimit ​       |   ​| ​  5554 | iptables extensions for hashlimit matching Includes: - libipt_hashlimit ​ |
 | iptables-mod-imq ​             |   ​| ​  2220 | iptables extension for IMQ support. Includes: - libipt_IMQ, use it's successor => ''​[[http://​www.linuxfoundation.org/​collaborate/​workgroups/​networking/​ifb|kmod-ifb]]''​ | | iptables-mod-imq ​             |   ​| ​  2220 | iptables extension for IMQ support. Includes: - libipt_IMQ, use it's successor => ''​[[http://​www.linuxfoundation.org/​collaborate/​workgroups/​networking/​ifb|kmod-ifb]]''​ |
-| iptables-mod-ipopt ​           |   ​| ​ 22438 | iptables extensions for matching/​changing IP packet options. Includes: - libipt_CLASSIFY - libipt_dscp/​DSCP - libipt_ecn/​ECN - libipt_length - libipt_mac - libipt_mark/​MARK - libipt_statistic - libipt_tcpmms ​- libipt_tos/​TOS - libipt_ttl/​TTL - libipt_unclean ​ |+| iptables-mod-ipopt ​           |   ​| ​ 22438 | iptables extensions for matching/​changing IP packet options. Includes: - libipt_CLASSIFY - libipt_dscp/​DSCP - libipt_ecn/​ECN - libipt_length - libipt_mac - libipt_mark/​MARK - libipt_statistic - libipt_tcpmss ​- libipt_tos/​TOS - libipt_ttl/​TTL - libipt_unclean ​ |
 | iptables-mod-ipp2p ​           |   ​| ​  3315 | IPP2P iptables extension ​ | | iptables-mod-ipp2p ​           |   ​| ​  3315 | IPP2P iptables extension ​ |
 | iptables-mod-iprange ​         |   ​| ​  3627 | iptables extensions for matching ip ranges. Includes: - libipt_iprange ​ | | iptables-mod-iprange ​         |   ​| ​  3627 | iptables extensions for matching ip ranges. Includes: - libipt_iprange ​ |
Line 202: Line 218:
   * [[http://​www.linuxhomenetworking.com/​wiki/​index.php/​Quick_HOWTO_:​_Ch14_:​_Linux_Firewalls_Using_iptables#​Figure_14-1_Iptables_Packet_Flow_Diagram|LHN Fig.14]]   * [[http://​www.linuxhomenetworking.com/​wiki/​index.php/​Quick_HOWTO_:​_Ch14_:​_Linux_Firewalls_Using_iptables#​Figure_14-1_Iptables_Packet_Flow_Diagram|LHN Fig.14]]
   * [[http://​www.rigacci.org/​wiki/​lib/​exe/​fetch.php/​doc/​appunti/​linux/​sa/​iptables/​conntrack.html|on conntrack]]   * [[http://​www.rigacci.org/​wiki/​lib/​exe/​fetch.php/​doc/​appunti/​linux/​sa/​iptables/​conntrack.html|on conntrack]]
 +  * [[http://​ipset.netfilter.org/​iptables-extensions.man.html|List of available extensions to netfilter/​iptables]]
doc/howto/netfilter.1382437088.txt.bz2 · Last modified: 2013/10/22 12:18 by lorema